An unauthorized user gained access to Slack’s GitHub repositories. The user managed to download the repositories before Slack plugged the leak.

The damage appears limited, as none of the stolen repositories involve Slack’s source code or user data. The organization stresses that source code and user data are stored elsewhere, but did not specify what the stolen repositories were used for.

In a statement, Slack explains that it received a GitHub notification about suspicious activity on December 29th 2023. Further investigation revealed that an unknown individual had used stolen access tokens to access the organization’s private GitHub repositories.

Access tokens are a form of login credentials. The person in question was using access tokens belonging to Slack employees. According to Slack, the access tokens were stolen sometime in the past. The organization did not disclose how or when.

Unclear

In the statement, Slack repeatedly stresses that the access tokens did not provide access to repositories for source code or user data. The contents of the stolen repositories are a mystery. It’s possible that the repositories were used for development environments, but nothing has been confirmed.

Slack claims that users don’t need to take action. Whatever was stored in the repositories doesn’t appear to affect customers. Slack says that the leak has been closed. The stolen access tokens were blocked and the login credentials of affected employees have been rotated.

GitHub

GitHub is an extremely popular repository service for code. The incident at Slack underscores why. GitHub’s automated systems regularly manage to detect unauthorized users. The platform constantly scans for suspicious behaviour, providing organizations like Slack a safety net when things go wrong internally — for example, due to stolen access tokens.

Like Slack, security company Okta was recently bailed out by GitHub. Back in December 2022, the organization received a GitHub security alert about unauthorized access to repositories. Okta later found out that one or more unauthorized users had stolen company source code.

The cause remains unknown. BleepingComputer broke the story based on a leaked memo from December 2022. At the time, Okta promised to publish a blog about the incident by the end of the day. Meanwhile, weeks have passed, and there’s still no trace of a statement on the company’s blog page.
